To support using Kerberos authentication for Mobile SSO for iOS, Workspace ONE Access provides a cloud hosted KDC service.

The KDC service hosted in the cloud must be used when the Workspace ONE Access service deployed with Workspace ONE UEM in a Windows environment. The KDC service hosted in the cloud can also be used in a Workspace ONE Access cloud-hosted deployment.

When you configure Mobile SSO for iOS authentication, you configure the realm name for the cloud hosted KDC service. The realm is the name of the administrative entity that maintains authentication data. When you click Save, the Workspace ONE Access service is registered with the cloud hosted KDC service. The data that is stored in the KDC service is based on your configuration of the Mobile SSO for iOS authentication method. The data includes the CA certificate, the OCSP signing certificate, and the OCSP request configuration details.

The logging records are stored in the cloud service. The Personally Identifiable Information (PII) in the logging records includes the following.
  • The Kerberos principal name from the user's profile
  • The subject DN, UPN, and email SAN values
  • The device ID from the user's certificate
  • The FQDN of the IDM service that the user is accessing

To use the cloud hosted KDC service, Workspace ONE Access must be configured as follows.

  • The FQDN of the Workspace ONE Access service must be reachable from the Internet. The SSL/TLS certificate used by Workspace ONE Access must be publicly signed.
    If you configure Workspace ONE Access with an external firewall, allow list the appropriate IP addresses or URLs .
  • An outbound request/response port 88 (UDP) and port 443 (HTTPS/TCP) must be accessible from the service.
  • If you enable OCSP, the OCSP responder must be reachable from the Internet.